How to add fake pcap header before parsing

[mhristache]

Hi

I am trying to build a packet sniffer server and I am receiving pcap lib Packets via TCP but without the pcap file header. Is there a way to parse these packets using pcap-parser, e.g. add a pcap file header on the server side before calling the pcap-parser? The datalink type is always the same so that should not be an issue.

Thank you

[chifflier]

Hi, Not sure I understand correctly. If you are receiving encapsulated packets (assuming the encapsulation is pcap, not pcap-ng), there are several options:

• you can call parse_pcap_frame directly on the data, however you'll have to handle the fragmentation (if any)
• if you want to use the streaming API ( LegacyPcapReader ), you'll have to create a struct providing the Read trait. This structure would return a forged legacy pcap header on the first call, which is not too hard to create (see PcapHeader). Most fields are fixed, but you have to know snaplen. linktype is not necessary in the header (it is only called when parsing data). If you use the serialize feature, you can even create the struct and serialize it.

[mhristache]

Thanks for the help! I got it working using the streaming API by creating a forged pcap header then chain it into the original data usin the Read::chain method.